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This listing of claims replaces all prior versions, and 
listings of claims in the instant application: 

Listing of Claims: 



1. (Currently amended) A method comprising: 
intercepting inbound traffic on a host computer system; 
copying the inbound traffic to an inbound traffic memory 

area, the copying the inbound traffic generating copied inbound 
traffic ; 

releasing the inbound traffic; 

intercepting outbound traffic on the host computer system; 

buffering the outbound traffic in an outbound traffic 
memory area, the buffering the outbound traffic generating 
buffered outbound traffic; 

comparing at least a portion of outbound traffic on a — the 
host computer system to at least a portion of inbound traffic 
on the host computer system, wherein the inbound traffic is 
received on the host computer system from a source external to 
the host computer system, and wherein the outbound traffic is 
generated on the host computer system for transmission from the 
host computer system to a destination external to the host 
computer system, and further wherein the at least a portion of 
the outbound traffic is subsequent in time to the at least a 
portion of the inbound traffic; 

determining if malicious code is detected on the host 
computer system based on the comparing; and 

when malicious code is detected, providing a notification 
of the malicious code detection ; and 

if malicious code is not detected, releasing the buffered 
outbound traffic . 

2. (Canceled) 
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3. (Original) The method of Claim 1, wherein the 
comparing is performed using a similarity comparison technique. 

4 . (Canceled) 

5. (Original) The method of Claim 1, wherein the 
inbound traffic is received at the host computer system from a 
source port, 

and wherein the outbound traffic is for sending to a 
destination port, 

and further wherein the source port and the destination 
port are the same port . 

6. (Previously presented) The method of Claim 1, 
wherein the inbound traffic is received on the host computer 
system from a source port, 

and wherein the outbound traffic is for sending to a 
destination port, 

and further wherein the source port and the destination 
port are different ports. 

7. (Previously presented) The method of Claim 1, 
further comprising: 

implementing protective actions. 

8-10. (Canceled) 

11. (Currently amended) The method of Claim— 3r£ 1, 
wherein the comparing comprises: 

comparing at least a portion of the copied inbound traffic 
with at least a portion of the buffered outbound traffic. 

12-17. (Canceled) 
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18. (Currently amended) The method of Claim-^r& 1, 
further comprising: 

prior to the copying buffering the outbound traffic, if 
the outbound traffic correlates to a prior name resolution 
lookup performed on the host computer system, releasing the 
outbound traffic. 

19. (Currently amended) The method of Claim-iS__l, 
wherein the inbound traffic is copied to the inbound traffic 
memory area on a per port basis, 

and wherein the outbound traffic is copied buffered to the 
outbound traffic memory area on a per destination port basis. 

20. (Previously presented) A method comprising: 
intercepting inbound traffic on a host computer system, 

wherein the inbound traffic is received on the host computer 

system from a source external to the host computer system; 

copying the inbound traffic to an inbound traffic memory 

area, the copying the inbound traffic generating copied inbound 

traffic- 
releasing the inbound traffic; 

intercepting outbound traffic on the host computer system 
wherein the outbound traffic is generated on the host computer 
system for transmission from the host computer system to a 
destination external to the host computer system; 

buffering the outbound traffic in an outbound traffic 
memory area, the buffering the outbound traffic generating 
buffered outbound traffic- 
comparing at least a portion of the copied inbound traffic 
with at least a portion of the buffered outbound traffic- 
determining if malicious code is detected on the host 
computer system based on the comparing; 
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if malicious code is detected, providing a notification of 
the malicious code detection; and 

if malicious code is not detected, releasing the at least 
a portion of the buffered outbound traffic. 

21. (Original) The method of Claim 20, wherein the 
comparing is performed using a similarity comparison technique. 

22. (Original) The method of Claim 20, wherein the at 
least a portion of the buffered outbound traffic is subsequent 
in time to the at least a portion of the copied inbound 
traffic . 



23. (Original) The method of Claim 20, further 
comprising : 

prior to buffering the outbound traffic, if the outbound 
traffic correlates to a prior name resolution lookup performed 
on the host computer system, releasing the outbound traffic. 

24. (Original) The method of Claim 20, wherein the 
inbound traffic is copied to the inbound traffic memory area on 
a per port basis, 

and wherein the outbound traffic is buffered in the 
outbound traffic memory area on a per destination port basis. 

25. (Previously presented) The method of Claim 20, 
further comprising: 

wherein if malicious code is detected, implementing 
protective actions. 
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26. (Currently amended) A computer-program product 
comprising a computer readable medium configured to store 
computer program code comprising: 
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a detection application for intercepting inbound traffic 
on a host computer system; 

the detection application further for copying the inbound 
traffic to an inbound traffic memory area, the copying the 
inbound traffic generating copied inbound traffic; 

the detection application further for releasing the 
inbound traffic; 



the detection application further for intercepting 
outbound traffic on the host computer system; 

the detection application further for buffering the 
outbound traffic in an outbound traffic memory area, the 
buffering the outbound traffic generating buffered outbound 
traffic; 



a — the detection application further for comparing at least 
a portion of outbound traffic on a — the host computer system to 
at least a portion of inbound traffic on the host computer 
system, wherein the inbound traffic is received on the host 
computer system from a source external to the host computer 
system, and wherein the outbound traffic is generated on the 
host computer system for transmission from the host computer 
system to a destination external to the host computer system, 
and further wherein the at least a portion of the outbound 
traffic is subsequent in time to the at least a portion of the 
inbound traffic; 

the detection application further for determining if 
malicious code is detected on the host computer system based on 
the comparing; aftd 

when malicious code is detected, the detection application 
further for providing a notification of the malicious code 
detection ; and 

when malicious code is not detected, the detection 
application further for releasing the buffered outbound 
traffic . 
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27. (Previously presented) The computer-program product 
of Claim 26, the computer readable medium configured to store 
computer program code further comprising: 

wherein the comparing is performed using a similarity 
comparison technique. 

28. (Previously presented) The computer-program product 
of Claim 26, the computer readable medium configured to store 
computer program code further comprising: 

wherein if malicious code is detected, the detection 
application further for implementing protective actions. 



GUNNISON. McKAY & 

HODGSON. L.L.P. 
Garden West Office Plaza 
1 900 Garden Road. Suite 220 
Monterey. CA 93940 

(831)655-0880 
Fax {831)655-0888 



Page 7 of 9 



